Malware Analysis Report

2024-11-30 21:20

Sample ID 231230-pc184sefhm
Target 182374bdd6f6c2fa1148771424bdbd3d
SHA256 354b1fb3e205d8905d6a01a281c3c6a58c5f326953d7b40dcb28277596bf6886
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

354b1fb3e205d8905d6a01a281c3c6a58c5f326953d7b40dcb28277596bf6886

Threat Level: Known bad

The file 182374bdd6f6c2fa1148771424bdbd3d was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Drops startup file
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API

Read together, the two behavioral runs show one chain. rundll32.exe loads the submitted DLL; a single process then writes into newly started Windows executables (MDMAppInstaller.exe, SysResetErr.exe and SystemSettingsAdminFlows.exe on Windows 10; consent.exe, TpmInit.exe and Utilman.exe on Windows 7), once in their C:\Windows\system32 location and once as a copy in a randomly named folder under AppData\Local that also holds a DLL named after a system library (WTSAPI32.dll, DUI70.dll and newdev.dll on Windows 10). Persistence is set through a Run key and, on Windows 10, the Startup folder; both runs also touch the Task Scheduler COM API, for which the report records no task details.

MITRE ATT&CK (Enterprise Matrix V15)

The technique mapping itself is not reproduced in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2023-12-30 12:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
(no details recorded for this match)

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 12:11

Reported

2023-12-31 20:18

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\182374bdd6f6c2fa1148771424bdbd3d.dll,#1

The ",#1" suffix makes rundll32.exe call the DLL's export at ordinal 1; the report does not name that export.

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
(no details recorded for this match)

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBLa36Gcd\MDMAppInstaller.exe | N/A | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7KUE2a | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7KUE2a\DUI70.dll | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7KUE2a\SysResetErr.exe | N/A | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBLa36Gcd | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBLa36Gcd\WTSAPI32.dll | N/A | N/A

Each Startup subfolder receives an executable and DLL pair that mirrors one of the AppData\Local staging folders in the Files section (7KUE2a: SysResetErr.exe + DUI70.dll, like jkYcP; ZBLa36Gcd: MDMAppInstaller.exe + WTSAPI32.dll, like SmB8p3), so the same side-loading layout is re-launched at logon.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\7KUE2a\\SYSRES~1.EXE" | N/A | N/A

The Run value is written with 8.3 short names (MICROS~1, STARTM~1, SYSRES~1.EXE), which correspond to ...\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7KUE2a\SysResetErr.exe, the executable dropped above. Detection logic that matches the long path literally will miss this value; normalise short names before comparing.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jkYcP\SysResetErr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\V64tEUlv\SystemSettingsAdminFlows.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SmB8p3\MDMAppInstaller.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (4 events)
N/A | N/A | N/A | N/A (60 further events with no process recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (8 events)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (8 events, each following a SeShutdownPrivilege adjustment)

No process is attributed to these token adjustments, so on their own they are weak evidence.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target (each write is logged twice in the report)
PID 3436 wrote to memory of 936 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe
PID 3436 wrote to memory of 3468 | N/A | N/A | C:\Users\Admin\AppData\Local\SmB8p3\MDMAppInstaller.exe
PID 3436 wrote to memory of 3708 | N/A | N/A | C:\Windows\system32\SysResetErr.exe
PID 3436 wrote to memory of 4432 | N/A | N/A | C:\Users\Admin\AppData\Local\jkYcP\SysResetErr.exe
PID 3436 wrote to memory of 4280 | N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3436 wrote to memory of 3560 | N/A | N/A | C:\Users\Admin\AppData\Local\V64tEUlv\SystemSettingsAdminFlows.exe

A single process (PID 3436) writes into each of three Windows executables started from C:\Windows\system32, and then into a copy of the same executable started from a randomly named folder under AppData\Local. The Files section shows that each of those folders also holds a DLL named after a system library (WTSAPI32.dll, DUI70.dll, newdev.dll). That is the DLL side-loading layout: the copied executable finds the planted DLL in its own directory before the system copy. The report does not map PID 3436 to a process name.

Uses Task Scheduler COM API

persistence
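As an added example, not part of the sandbox report, the following Python applies the two checks this section calls for to the events listed above: it groups dropped files by folder to find a copy of a system executable sitting next to a DLL outside C:\Windows, and it matches the 8.3 short-name Run value against the long paths of the dropped files. The file list and Run values are transcribed from the tables above (two non-matching control paths are added and marked), the set of system executable names is taken from the report's process lists, and the short-name matcher is an approximation of the NTFS rule (uppercase, strip spaces and dots, first six characters, a tilde and a digit, three-character extension) that cannot verify the numeric suffix offline.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Paths transcribed from the "Drops startup file" table and the Files section of the
# Windows 10 run. The last two are constructed controls that must not match.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBLa36Gcd\MDMAppInstaller.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBLa36Gcd\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7KUE2a\SysResetErr.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7KUE2a\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\SmB8p3\MDMAppInstaller.exe",
    r"C:\Users\Admin\AppData\Local\SmB8p3\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\jkYcP\SysResetErr.exe",
    r"C:\Users\Admin\AppData\Local\jkYcP\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\V64tEUlv\SystemSettingsAdminFlows.exe",
    r"C:\Users\Admin\AppData\Local\V64tEUlv\newdev.dll",
    r"C:\Users\Admin\AppData\Local\Temp\182374bdd6f6c2fa1148771424bdbd3d.dll",  # control: a lone DLL, no executable beside it
    r"C:\Windows\system32\SysResetErr.exe",                                   # control: the genuine binary, excluded by location
]

# Run values transcribed from both "Adds Run key" tables, in registry-export form
# (quoted, backslashes doubled).
RUN_VALUES = {
    "Tgnmvdx": r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\7KUE2a\\SYSRES~1.EXE"',
    "Groztcac": r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\IIjK\\TpmInit.exe"',
}

# Executables the report shows running from C:\Windows\system32 in either detonation.
SYSTEM_EXECUTABLES = {
    "mdmappinstaller.exe", "sysreseterr.exe", "systemsettingsadminflows.exe",
    "consent.exe", "tpminit.exe", "utilman.exe",
}

# A generated 8.3 component: up to six stem characters, ~N, optional three-character extension.
SHORT_NAME_RE = re.compile(r"^([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?$")


def short_name_parts(long_name):
    """Approximate the 8.3 stem and extension NTFS generates for a long name (assumed rule)."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    cleaned = re.sub(r"[ .]", "", stem).upper()
    return cleaned[:6], ext.upper()[:3]


def component_matches(short, long):
    """Compare one path component; a ~N component is compared through its generated 8.3 form."""
    m = SHORT_NAME_RE.match(short)
    if m is None:
        return short.lower() == long.lower()
    stem6, ext3 = short_name_parts(long)
    return m.group(1) == stem6 and (m.group(2) or "") == ext3


def same_path(short_form, long_form):
    """True when a path written with short names plausibly denotes the long-form path."""
    a = PureWindowsPath(short_form).parts
    b = PureWindowsPath(long_form).parts
    return len(a) == len(b) and all(component_matches(s, l) for s, l in zip(a, b))


def registry_value_to_path(value):
    """Undo the export form: strip the quotes and collapse doubled backslashes."""
    return value.strip('"').replace("\\\\", "\\")


def resolve_run_values(run_values, dropped_files):
    """Map each Run value name to the dropped file it launches, or None if none matches."""
    out = {}
    for name, raw in run_values.items():
        target = registry_value_to_path(raw)
        out[name] = next((p for p in dropped_files if same_path(target, p)), None)
    return out


def find_sideload_folders(paths):
    """Folders outside C:\\Windows that hold a copy of a system executable next to a DLL."""
    by_folder = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_folder[str(wp.parent)].append(wp.name)
    hits = {}
    for folder, names in by_folder.items():
        if folder.lower().startswith("c:\\windows"):
            continue
        exes = sorted(n for n in names if n.lower() in SYSTEM_EXECUTABLES)
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        if exes and dlls:
            hits[folder] = (exes, dlls)
    return hits


if __name__ == "__main__":
    for folder, (exes, dlls) in find_sideload_folders(DROPPED_FILES).items():
        print(f"side-load layout: {folder}: {exes} + {dlls}")
    for name, target in resolve_run_values(RUN_VALUES, DROPPED_FILES).items():
        print(f"Run\\{name} -> {target}")
```

Run as a script it reports five staging folders (the three under AppData\Local and the two under Startup) and resolves Tgnmvdx to the Startup copy of SysResetErr.exe; Groztcac resolves to nothing because the Windows 7 run recorded no dropped files.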

Processes

Listed as path followed by command line in the report; the two are identical for every process except rundll32.exe, so each is shown once here, in the report's order.

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\182374bdd6f6c2fa1148771424bdbd3d.dll,#1
C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\SysResetErr.exe
C:\Users\Admin\AppData\Local\SmB8p3\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\V64tEUlv\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\jkYcP\SysResetErr.exe

Network

Every DNS row goes to 8.8.8.8:53 over UDP; repeated rows are collapsed with a count. No row is attributed to a process and the only named host is tse1.mm.bing.net, so this report does not confirm any of these destinations as Dridex command-and-control.

DNS (PTR lookups, with the address each name reverses to)
Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa (20.190.181.5) | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa (4.231.128.59) | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa (96.17.178.209) | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa (192.229.221.95) | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa (20.74.47.205) | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa (20.82.228.9) | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa (40.127.169.103) | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa (88.221.135.217) | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa (93.184.221.240) | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa (88.221.135.211) | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa (96.17.178.187) | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa (20.199.58.43) | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa (52.111.229.43) | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | (query name not recorded) | udp (17 events)

TCP
Country | Destination | Domain | Proto
GB | 88.221.135.217:80 | | tcp (the same address was looked up by PTR above)
US | 20.12.23.50:443 | | tcp (2 events)
N/A | 52.142.223.178:80 | | tcp
N/A | 20.123.104.105:443 | | tcp (3 events)
GB | 96.16.110.41:443 | | tcp
US | 2.17.5.100:80 | | tcp (2 events)
N/A | 52.165.164.15:443 | | tcp (3 events)
N/A | 20.54.110.119:443 | | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 events)

Files

Dropped files, in the order the report lists them. Three paths (SmB8p3\WTSAPI32.dll, jkYcP\DUI70.dll, V64tEUlv\newdev.dll) each appear with two different hash sets, so their content changed during the run; anyone hunting by hash should carry both sets. Each DLL is named after a Windows system library and sits beside a copy of a Windows executable, the side-loading layout that the WriteProcessMemory entries point at.

C:\Users\Admin\AppData\Local\SmB8p3\WTSAPI32.dll (hash set 1)
MD5 7ba5bee90a21581a2c66ee01293083bb
SHA1 a4932e02bbf8b957d8889f59cf35c39d9df13cc9
SHA256 3838f4c230d744e03e89125db8dd32c01f015073cfec374a6b6cfcad44c2bf4d
SHA512 23d46241ab4dc24f8ebf3d42258a330882c4ea9874a779c01d0cb411435ca27f4ccb573fcdcb425b27d1fcf15fd242b45bb39d084f52dff3b31d694bea3b88e4

C:\Users\Admin\AppData\Local\SmB8p3\WTSAPI32.dll (hash set 2)
MD5 b435f87ff372167e5074404ca1d7539b
SHA1 0516065b814d8738e06c3e75607970ea2cdddb82
SHA256 81490f5e5072ddd164c532311d005e822f9b85dbd21221b7ac995f103403d823
SHA512 8425e305434f14b830604e47bc935b052f5754bee7adaeb9687a1e5c5c924e63745db79b5d16dddd89f92feea956c03c6c8d84724224c6c33278e994edb13c42

C:\Users\Admin\AppData\Local\SmB8p3\MDMAppInstaller.exe
MD5 30e978cc6830b04f1e7ed285cccaa746
SHA1 e915147c17e113c676c635e2102bbff90fb7aa52
SHA256 dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

C:\Users\Admin\AppData\Local\jkYcP\DUI70.dll (hash set 1)
MD5 2382aaff4e1f330c018831985d8cd1eb
SHA1 2d8821cfb692bf882f9e171e4dd5b1d94de28465
SHA256 7a1335ded00dcf8f2b99321baf0825b5b78974c9d20d1c39e86d991e46937378
SHA512 e4365b5067e155497e23f131dd82c46a07e4a3829abb972d5b625bdd0a6ff8429a19135a90265be192a3813eea19c946e2f70326c7b538647a663b9b28123206

C:\Users\Admin\AppData\Local\jkYcP\SysResetErr.exe
MD5 090c6f458d61b7ddbdcfa54e761b8b57
SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

C:\Users\Admin\AppData\Local\V64tEUlv\newdev.dll (hash set 1)
MD5 6ee0d857a2d6b27a7b74053f7f3dc4c1
SHA1 a9665109d59d5b157c50cca1d5f650d132593478
SHA256 2c528d32965c7c82e4829e2d157ccd910a8c7e244befc1158a612fb04a79ab7e
SHA512 05d607f898726c66c0764e2873f8a08b6f8a599a344700616cf2fcd01d9c92d0318381afc595413b51b2a9401ab51cb57ba3e5ec24ae24d2f93c081be89c122b

C:\Users\Admin\AppData\Local\V64tEUlv\newdev.dll (hash set 2)
MD5 c4c821caa50353c3d436c68c65d6ec81
SHA1 810fbca70d064ec0b92f979597a62cbc77efe572
SHA256 5e6db370747a8d19c39f3a3b0e48e44325163a563fb5c8b26426e55bf3992902
SHA512 4b989849848084613676823c56508f1a332e107709617af31f266d6bf4dc68d1124fe8ab80fb750867b3ffb65d046f4f528dd20b0e142fa839032b91b689864a

C:\Users\Admin\AppData\Local\V64tEUlv\SystemSettingsAdminFlows.exe
MD5 50adb2c7c145c729b9de8b7cf967dd24
SHA1 a31757f08da6f95156777c1132b6d5f1db3d8f30
SHA256 a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec
SHA512 715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

C:\Users\Admin\AppData\Local\jkYcP\DUI70.dll (hash set 2)
MD5 5d83618c54e7b34c185a5379baae96fd
SHA1 ced991c1dc3bb4d74c7e4bb0295e186e988cd149
SHA256 7b894d83db255f2fefdf8ecfc42eee536d034f15ebf6bf3eaf28175166a1e110
SHA512 bfe9174eecc606be61d77e2aea9911f5b6a8afa273a7c1e73552cde756344082be8f72e3ca79556ea4636e3b99d6b650c4322a66cd9f126f2d6f7b4ef259c5c4

Memory dumps, named memory/<pid>-<index>-<start>-<end>-memory.dmp in the report, grouped by PID:

PID 4520: index 0 (0x0000024836A10000-0x0000024836A17000); indices 1 and 6 (0x0000000140000000-0x0000000140336000)
PID 3436: indices 7, 8 and 10 through 65, 58 dumps in total, all of 0x0000000140000000-0x0000000140336000; also 4 (0x00000000023C0000-0x00000000023C1000), 9 (0x00007FFE49EFA000-0x00007FFE49EFB000), 70 (0x00000000022C0000-0x00000000022C7000) and 78 (0x00007FFE4AD40000-0x00007FFE4AD50000)
PID 3468: index 99 (0x0000023331A80000-0x0000023331A87000)
PID 4432: index 116 (0x000001D1C9210000-0x000001D1C9217000)
PID 3560: index 133 (0x0000020BD58A0000-0x0000020BD58A7000)

The 0x336000-byte region at 0x140000000, the default image base of a 64-bit PE executable, is dumped first from PID 4520 and then repeatedly from PID 3436, the PID that writes into every side-loaded child in the WriteProcessMemory table; the report does not map either PID to a process name. Each AppData child (3468, 4432, 3560) gets exactly one 0x7000-byte dump, the same size as 4520's index 0 and 3436's index 70.
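An added example, not from the report: a Python check for the recurring 0x0000000140000000-0x0000000140336000 dumps above (and their 0x140000000 counterparts in the Windows 7 run). It parses the sandbox dump name for PID, index and address range, then reads the PE headers of the dumped bytes to confirm the region is a PE image whose ImageBase equals the dump start and whose SizeOfImage equals the region length, the two facts that distinguish an in-place mapped image from an arbitrary heap region. The sample's real dumps are not available here, so the header bytes fed to it are constructed with those values; the header layout is the standard PE32/PE32+ one.

```python
import re
import struct

DUMP_NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_dump_name(name):
    """Split a sandbox dump name into (pid, index, start, end)."""
    m = DUMP_NAME_RE.search(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    return int(m["pid"]), int(m["index"]), int(m["start"], 16), int(m["end"], 16)


def parse_pe_headers(data):
    """Return the header fields that matter for a memory region, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, sections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte ImageBase
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # 4-byte ImageBase after BaseOfData
    else:
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]    # same offset in both formats
    return {
        "machine": machine,
        "sections": sections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "size_of_image": size_of_image,
    }


def assess_dump(name, data):
    """Combine the dump name with the header facts: is this a PE mapped at its preferred base?"""
    pid, index, start, end = parse_dump_name(name)
    hdr = parse_pe_headers(data)
    result = {"pid": pid, "index": index, "region_size": end - start, "is_pe": hdr is not None}
    if hdr is not None:
        result.update(hdr)
        result["at_preferred_base"] = hdr["image_base"] == start
        result["size_matches_region"] = hdr["size_of_image"] == end - start
    return result


def build_pe32plus_header(image_base, size_of_image, is_dll=False):
    """Constructed test input: a minimal PE32+ header with the given base and size (no sections, no code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature right after the DOS header
    opt_size = 240                                      # standard PE32+ optional header size
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    name = "memory/3436-10-0x0000000140000000-0x0000000140336000-memory.dmp"
    print(assess_dump(name, build_pe32plus_header(0x140000000, 0x336000)))
    print(assess_dump("memory/3468-99-0x0000023331A80000-0x0000023331A87000-memory.dmp", bytes(0x7000)))
```

On a real dump, replace the constructed header with the file's bytes; a region that parses as a PE with at_preferred_base and size_matches_region both true is an image mapped in place, while the 0x7000-byte child dumps are expected to fail the MZ check and need to be looked at as raw code instead.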

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 12:11

Reported

2023-12-31 20:17

Platform

win7-20231129-en

Max time kernel

7s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\182374bdd6f6c2fa1148771424bdbd3d.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
(no details recorded for this match)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\pyYBrVT\consent.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\DG9WF\TpmInit.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\pyYBrVT\consent.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\DG9WF\TpmInit.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\IIjK\\TpmInit.exe" | N/A | N/A

On Windows 7 the Run value points into AppData\Roaming\Microsoft\Credentials\IIjK rather than the Startup folder used on Windows 10, and is written in long form; the report records no file-creation event for that path.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pyYBrVT\consent.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DG9WF\TpmInit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (3 events)
N/A | N/A | N/A | N/A (18 further events with no process recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target (each write is logged three times in the report)
PID 1360 wrote to memory of 2932 | N/A | N/A | C:\Windows\system32\consent.exe
PID 1360 wrote to memory of 2988 | N/A | N/A | C:\Users\Admin\AppData\Local\pyYBrVT\consent.exe
PID 1360 wrote to memory of 1308 | N/A | N/A | C:\Windows\system32\TpmInit.exe
PID 1360 wrote to memory of 2772 | N/A | N/A | C:\Users\Admin\AppData\Local\DG9WF\TpmInit.exe
PID 1360 wrote to memory of 2768 | N/A | N/A | C:\Windows\system32\Utilman.exe

The same pattern as on Windows 10 with different host binaries (consent.exe, TpmInit.exe, Utilman.exe): one process (PID 1360) writes into each system32 executable and then into its copy under AppData\Local. The process list also contains C:\Users\Admin\AppData\Local\VkecEyzNG\Utilman.exe, but no write into it is recorded and no dropped-file hashes were captured in this run, so the third stage is only partly observed.

Uses Task Scheduler COM API

persistence

Processes

Listed as path followed by command line in the report; the two are identical for every process except rundll32.exe, so each is shown once here, in the report's order.

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\182374bdd6f6c2fa1148771424bdbd3d.dll,#1
C:\Users\Admin\AppData\Local\pyYBrVT\consent.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\DG9WF\TpmInit.exe
C:\Windows\system32\Utilman.exe
C:\Users\Admin\AppData\Local\VkecEyzNG\Utilman.exe

Network

No network activity was recorded for this run.

Files

No dropped files with hashes were recorded for this run; only memory dumps, named memory/<pid>-<index>-<start>-<end>-memory.dmp in the report and grouped here by PID:

PID 1764: index 0 (0x00000000000A0000-0x00000000000A7000); indices 1 and 8 (0x0000000140000000-0x0000000140336000)
PID 1360: indices 7 and 9 through 65, 58 dumps in total, all of 0x0000000140000000-0x0000000140336000; also 4 and 185 (0x00000000770B6000-0x00000000770B7000), 5 (0x00000000025B0000-0x00000000025B1000), 75 (0x0000000002590000-0x0000000002597000), 78 (0x00000000772C1000-0x00000000772C2000) and 79 (0x0000000077420000-0x0000000077422000)
PID 2988: index 106 (0x0000000000230000-0x0000000000237000)
PID 2772: index 132 (0x0000000000290000-0x0000000000297000)
PID 1832: index 156 (0x0000000000110000-0x0000000000117000)

The layout mirrors the Windows 10 run: the 0x336000-byte region at 0x140000000 appears first in PID 1764 and then 58 times in PID 1360, the PID that writes into every side-loaded child above, and each child process (2988, 2772 and 1832, the last of which no other section names) receives a single 0x7000-byte dump. The report does not map 1764 or 1360 to a process name.